Add Code Signing for Datum Desktop Windows Installer

[bmertens-datum]

Summary

Sign the Datum Desktop Windows installer EXE so Windows recognizes the publisher and reduces warnings.

Motivation

Unsigned installers show "Unknown Publisher" and create friction for users installing Datum Desktop.
Code signing improves trust, install success, and reduces blocking behavior in Microsoft Edge downloads.

Goals

• Sign Datum Desktop Windows installer during build/release
• Use SHA256 signing with timestamp
• Ensure "Datum" shows as publisher in Windows
• Improve Microsoft Edge download and run experience (reduce blocking/warnings)

Non-Goals

• EV certificate (future consideration)
• Microsoft Store distribution

Implementation

1. Obtain a code signing certificate (OV or EV) for Datum
2. Install Windows SDK (includes SignTool)
3. Securely store certificate (CI secret or hardware token for EV)
4. Add signing step to release pipeline

Example:

signtool sign /fd SHA256 /tr http://timestamp.digicert.com
/td SHA256 /a datum-desktop.exe

5. Verify signature:

signtool verify /pa datum-desktop.exe

References

• SignTool documentation: https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
• Signing guide: https://learn.microsoft.com/en-us/windows/win32/appxpkg/how-to-sign-a-package-using-signtool

Acceptance Criteria

• Datum Desktop installer is signed in CI/CD
• Windows shows valid publisher (no "Unknown Publisher")
• Microsoft Edge allows download and run with reduced warnings
• Installer installs without major SmartScreen blocking